Return-Path: 
 <users-return-33890-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 81349 invoked from network); 25 Oct 2003 14:28:47 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12)
  by minotaur-2.apache.org with SMTP; 25 Oct 2003 14:28:47 -0000
Received: (qmail 58968 invoked by uid 500); 25 Oct 2003 14:28:31 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 58957 invoked by uid 500); 25 Oct 2003 14:28:30 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
list-post: <mailto:users@httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 58944 invoked from network); 25 Oct 2003 14:28:30 -0000
Received: from unknown (HELO tconl.com) (204.26.80.9)
  by daedalus.apache.org with SMTP; 25 Oct 2003 14:28:30 -0000
Received: from xavier ([10.98.9.241])
	by tconl.com (8.11.6/8.11.6) with ESMTP id h9PESWR09511
	for <users@httpd.apache.org>; Sat, 25 Oct 2003 09:28:32 -0500
To: users@httpd.apache.org
From: Larry McFarlane <LMcFarlane@tconl.com>
Content-Type: text/plain; format=flowed; charset=iso-8859-15
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Date: Sat, 25 Oct 2003 09:28:10 -0500
Message-ID: <oprxlrs8wu4i6abc@mail.tconl.com>
User-Agent: Opera7.21/Win32 M2 build 3218
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
Subject: [users@httpd] Apache Security
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

Hello,

Will someone let me know if I'm on the ball here.  I've just reviewed our 
production system and don't like what I see.

Apache starts up as root, creates the pid, and switches to the dodo user 
that you specify in the httpd.conf file.

An Admin should make sure that all of Apache's files (including your 
document root) is owned and grouped by root.

The attributes of the files in document root should have ReadWrite, Read, 
Read attributes.  CGI is out of the picture here and isn't relevant.

The reason for this is in case Apache is exploited, Apache won't be able 
to go on a rampage because the file system is protected by root.
Apache, now operating as the dodo user will in theory, be denied.

The only reason why I feel you should assign different users/groups to 
Apache's directory tree is when the server is a development/staging
server.  You wouuld probably want to do this if you want your developers 
access to specific directories/files and not overwrite someone else's
work.  When migrating to production, only a root user should be able to 
migrate the changes to ensure that all files maintain root permissions.

Any input would be greatly appreciated!


-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org